The present invention concerns a countermeasure method in an electronic component using a secret key cryptography algorithm. Such components are used in applications where access to services or to data is strictly controlled. They have an architecture formed around a microprocessor and memories, including a program memory which contains the secret key.
These components are notably used in smart cards, for certain applications thereof. These are for example applications involving access to certain databanks, banking applications, remote payment applications, for example for television, petrol dispensing or passing through motorway tolls.
These components or cards therefore use a secret key cryptography algorithm, the best known of which is the DES algorithm (standing for Data Encryption Standard in British and American literature). Other secret key algorithms exist, such as the RC5 algorithm or the COMP128 algorithm. This list is of course not exhaustive.
In general terms and briefly, the function of these algorithms is to calculate an enciphered message from a message applied at the input (to the card) by a host system (a server, banking dispenser, etc.) and the secret key contained in the card, and to supply this enciphered message in return to the host system, which for example enables the host system to authenticate the component or the card, to exchange data, etc.
The characteristics of the secret key cryptography algorithms are known: calculations made, parameters used. The only unknown is the secret key contained in program memory. All the security of these cryptography algorithms rests on this secret key contained in the card and unknown to the world outside this card. This secret key cannot be deduced solely from knowledge of the message applied as an input and the enciphered message supplied in return.
However, it has become apparent that external attacks, based on current consumptions or a differential current consumption analysis when the microprocessor of a card is running the cryptography algorithm in order to calculate an enciphered message, enable ill-intentioned third parties to find the secret key contained in this card. These attacks are referred to as DPA attacks, the English acronym for Differential Power Analysis.
The principle of these DPA attacks is based on the fact that the current consumption of the microprocessor executing the instructions varies according to the data being manipulated.
Notably, when an instruction executed by the microprocessor requires manipulation of data bit by bit, there are two different current profiles depending on whether this bit is “1” or “0”. Typically, if the microprocessor manipulates a “0”, there is at this time of execution a first consumed current amplitude, and if the microprocessor manipulates a “1” there is a second consumed current amplitude, different from the first.
Thus the DPA attack exploits the difference in current consumption profile in the card during the execution of an instruction according to the value of the bit manipulated. In simplified terms, conducting a DPA attack consists of:
identifying one or more particular periods during which the algorithm is run, comprising the execution of at least one instruction manipulating data bit by bit;
reading a very large number N of current consumption curves during this period or periods, one curve per different message to which the algorithm is applied;
predicting, for each curve, the value taken by a bit of the data for an assumption on a subkey, that is to say on at least part of the secret key, which makes it possible to make the prediction;
and sorting the curves according to the corresponding Boolean selection function: a first packet of curves is obtained for which the prediction is “1” and a second packet of curves for which the prediction is “0”.
By making a differential analysis of the mean current consumption between the two packets of curves obtained, an information signal DPA(t) is obtained. If the subkey assumption is not correct, each packet in reality comprises as many curves corresponding to the manipulation of a “1” as there are curves manipulating a “0”. The two packets are therefore equivalent in terms of current consumption and the information signal is substantially zero. If the subkey assumption is correct, one packet actually comprises the curves corresponding to the manipulation of a “0” and the other packet actually comprises the curves corresponding to the manipulation of a “1”: the information signal DPA(t) is not zero; it comprises consumption peaks corresponding to the manipulation by the microprocessor of the bit on which the sorting is based. These peaks have an amplitude corresponding to the difference in consumption by the microprocessor depending on whether it is manipulating a “1” or a “0”.
Thus, step by step, it is possible to discover all or part of the secret key contained in an electronic component.
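The sorting and differencing described above, run on constructed curves so that the behaviour of DPA(t) can be observed; this is an added example, not part of the original text. The 4-bit S-box (taken from the PRESENT cipher as a stand-in for a DES S-box), the predicted bit, the leak position, the noise level and all function names are assumptions.

```python
import random

# Constructed stand-in for a DES S-box: the 4-bit S-box of the PRESENT cipher.
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]
BIT = 1          # output bit the selection function predicts (assumed)
T_LEAK = 12      # sample at which that bit is manipulated (assumed)
N_SAMPLES = 30   # samples per constructed consumption curve


def select(message, subkey):
    """Boolean selection function: predicted bit for one subkey assumption."""
    return (SBOX[message ^ subkey] >> BIT) & 1


def simulate_curves(subkey, n, seed=1):
    """Constructed curves: Gaussian noise, plus one unit when the bit is 1."""
    rng = random.Random(seed)
    messages, curves = [], []
    for _ in range(n):
        m = rng.randrange(16)
        curve = [rng.gauss(0.0, 1.0) for _ in range(N_SAMPLES)]
        curve[T_LEAK] += select(m, subkey)
        messages.append(m)
        curves.append(curve)
    return messages, curves


def dpa_signal(messages, curves, guess):
    """DPA(t): mean of the "1" packet minus mean of the "0" packet."""
    sums = [[0.0] * N_SAMPLES, [0.0] * N_SAMPLES]
    counts = [0, 0]
    for m, curve in zip(messages, curves):
        b = select(m, guess)
        counts[b] += 1
        for t, v in enumerate(curve):
            sums[b][t] += v
    return [sums[1][t] / counts[1] - sums[0][t] / counts[0]
            for t in range(N_SAMPLES)]


def rank_guesses(messages, curves):
    """Subkey assumptions ordered by the height of their largest peak."""
    peaks = {g: max(abs(x) for x in dpa_signal(messages, curves, g))
             for g in range(16)}
    return sorted(peaks, key=peaks.get, reverse=True)


if __name__ == "__main__":
    msgs, curves = simulate_curves(subkey=0xA, n=2000)
    print("assumptions by peak height:", rank_guesses(msgs, curves))
```

With an S-box this small, some wrong assumptions still give a peak of about half height, because their predictions agree with the true bit more often than not; only the correct assumption reaches the full difference between a “1” and a “0”.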
There are many secret key algorithms for the execution of which the microprocessor must at certain times manipulate data bit by bit.
Notably, the algorithms generally comprise permutations which require such manipulations by the microprocessor. By analysing the current consumption during the execution of these manipulations bit by bit, it is possible to find the value of some bits at least of the data item manipulated. Knowledge of this data item can supply information on intermediate results obtained during the execution of the enciphering algorithm, which in their turn can make it possible to find at least some of the bits of the secret key used.